Forum Discussion

Geoff_Littlewoo
Jul 24, 2009

Use iRule to extract X-Forwarded out of HTTP packet

I have a polling HTTP packet that the LTM does not see as a proper compliant HTTP packet.

Due to this the device sends a single packet in and the F5 closes the connection. This connection needs to remain open. To fix this, the HTTP profile is removed from the Virtual Server. The X-Forwarded header is needed from the packets that then flow through the LTM. The X-Forwarded header becomes the IP address of the LTM and not the source device.

I am looking for an iRule that will look at this packet and extract the X-Forwarded contents and send it through, as the source address sent becomes the interface of the LTM.

14 Replies

  • Aaron,

    I haven't changed too much. I have a basic HTTP profile with the iRule applied, still SNAT, and the back-end server still configured NOT to use the LTM as default gateway.

    If I don't use the iRule you posted above with the HTTP profile I only get a single packet with the IP address of the LTM. Using the iRule above my first packet contains the X-Forwarded-For but then reverts back to the LTM.

  • So it sounds like the client is making more than one HTTP request on the same TCP connection. If that happens, the HTTP profile and iRule would no longer be enabled, so the XFF header would not be inserted. That's the downside to disabling the HTTP profile.

    If you want to insert the XFF header in every request on a TCP connection, you would need to collect the TCP payload and search every packet for some delimiter like HTTP/1.0\r\n or HTTP/1.1\r\n and replace it with HTTP/1.x\r\nX-Forwarded-For: [IP::client_addr]\r\n where x is the HTTP version. You could also potentially do this with a stream profile as the HTTP headers (not the payload) would be modified.

    The easiest option though would be to change the servers' default gateway and remove the SNAT.

    Aaron
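An iRule along the lines Aaron sketches above, as an added example that is not code posted in this thread: it collects the TCP payload on a virtual server with no HTTP profile, strips any X-Forwarded-For the client supplied itself (so the value cannot be forged), and appends the real client address after every HTTP/1.x request line, not only the first. It assumes each request line arrives whole within one collected payload and that the request body never itself contains "HTTP/1.x\r\n"; the 10.1.1.5 address in the comment is a made-up illustration.

```tcl
# Added example, not code from the thread. Attach to a virtual server that
# has no HTTP profile (the polling client is not HTTP-compliant), so every
# request on the TCP connection is rewritten rather than only the first one.
when CLIENT_ACCEPTED {
    # Hold client data so CLIENT_DATA can inspect and rewrite it.
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    set xff "X-Forwarded-For: [IP::client_addr]\r\n"

    # Remove any X-Forwarded-For header the client sent itself; otherwise a
    # client could present a forged address next to the one LTM inserts.
    set changed [regsub -all -nocase {X-Forwarded-For:[^\r\n]*\r\n} $payload "" payload]

    # Insert the header directly after each request line, e.g.
    #   "GET /poll HTTP/1.1\r\n"
    # becomes
    #   "GET /poll HTTP/1.1\r\nX-Forwarded-For: 10.1.1.5\r\n"
    # Assumption: the request line is not split across packets, and the body
    # never contains "HTTP/1.x\r\n" (a POST body could; inspect that case).
    incr changed [regsub -all {(HTTP/1\.[01]\r\n)} $payload "\\1$xff" payload]

    if {$changed > 0} {
        # Write the rewritten bytes back over the collected payload.
        TCP::payload replace 0 [TCP::payload length] $payload
    }

    # Forward the (possibly rewritten) data and wait for the next packet.
    TCP::release
    TCP::collect
}
```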
  • Aaron,

    That works a treat. I have other apps on that server(s) so need to check routing/networking works and any issues... but initially looks OK...

    I am hoping I will not hit a problem and the F5 will be able to deal with any routing/gateway issues.


  • You'll need to configure a virtual server or SNAT to allow the servers to originate traffic through LTM. The best option would be to configure a virtual server which points to a pool of one or more gateways with a FastL4 profile. You may need to enable SNAT on the outbound virtual server to ensure responses go back through LTM. You should also enable the outbound virtual server only on the servers' VLAN. This will ensure that only the servers will be able to use this VIP to route through LTM.

    Aaron